Gartner’s John Pescatore weighs in on the latest chapter in the ongoing Facebook privacy controversy.

Basically, what you see is Facebook taking several steps to protect its customers – advertisers. If they were trying to protect Facebook users, they would have taken very different steps. Because what you don’t see is any real attention to actually addressing the real vulnerabilities.

So, the key takeaway: make sure that you are the actual customer when you trust your data or your customers’ data to a social network or cloud service provider, or any other 3rd party for that matter. A cloud provider can claim they are better at running a data center than you are, but if they are focusing on protecting their advertising revenue, not your data, that claim is meaningless.

Privacy vulnerabilities continue to be revealed on social networking sites like Facebook and MySpace, reports the NYTimes. The Times describes two research papers that discuss how unethical advertisers can game social networks to determine people’s private profile information, like sexual orientation.

Facebook counters that it has tools in place to prevent unethical advertiser behavior. However, Facebook realizes it needs to do more. In fact, Facebook announced that it is proposing encrypting user IDs as a way to prevent the sharing of IDs with data brokers. But Facebook admits this will only “address the inadvertent sharing of this information on Facebook.”

Mashable weighs in with the obvious question, “Frankly, we think that encrypting the UID parameters within an iFrame is a good idea and a good first step towards accountability. Our big question is: Why is this only happening now?”

Unauthorized, but not illegal, “web scraping” of personal data is big business – $840 million according to an estimate by the Wall St. Journal.

The market for personal data about Internet users is booming, and in the vanguard is the practice of “scraping.” Firms offer to harvest online conversations and collect personal details from social-networking sites, résumé sites and online forums where people might discuss their lives.

The emerging business of web scraping provides some of the raw material for a rapidly expanding data economy. Marketers spent $7.8 billion on online and offline data in 2009, according to the New York management consulting firm Winterberry Group LLC. Spending on data from online sources is set to more than double, to $840 million in 2012 from $410 million in 2009.

The Wall Street Journal’s examination of scraping—a trade that involves personal information as well as many other types of data—is part of the newspaper’s investigation into the business of tracking people’s activities online and selling details about their behavior and personal interests.

The fact-filled article is well worth reading in its entirety, but it offers no ideas for a solution. At this point, you have to assume that anything you say on the web is public knowledge.

Posting your location can have unintended consequences. A band of burglars in Nashua, NH, was arrested for an estimated 50 burglaries in the area whose locations were chosen based on information they collected from social networks including Facebook.

“Be careful of what you post on these social networking sites,” said Capt. Ron Dickerson of Nashua police. “We know for a fact that some of these players, some of these criminals, were looking on these sites and identifying their targets through these social networking sites.”

Is this spying? To what degree can you “opt out” of these tracking files? It’s not easy for the average web user, but doable. On the other hand, content publishers have a right to monetize their content via advertising and other indirect methods considering they cannot get people to pay directly.

Bruce Schneier recently blogged about his essay “A Taxonomy of Social Networking Data” in the IEEE Security & Privacy magazine. There are six categories of data: Service, Disclosed, Entrusted, Incidental, Behavioral, and Derived.

It’s also clear that users should have different rights with respect to each data type. We should be allowed to export, change, and delete disclosed data, even if the social networking sites don’t want us to. It’s less clear what rights we have for entrusted data — and far less clear for incidental data. If you post pictures from a party with me in them, can I demand you remove those pictures — or at least blur out my face? (Go look up the conviction of three Google executives in Italian court over a YouTube video.) And what about behavioral data? It’s frequently a critical part of a social networking site’s business model. We often don’t mind if a site uses it to target advertisements, but are less sanguine when it sells data to third parties.

ITPRO reported that Ron Bowes, a hacker/security consultant from Skull Security, gathered the personal details of 100 million Facebook users from Facebook’s user directory using Facebook’s standard APIs, and published them in a downloadable file on Pirate Bay.

I suppose the fact that Ron only got 20% of the Facebook population is a reflection of how most people have set their privacy settings. This jibes (via ars technica) with a study conducted by researchers at Northeastern and Harvard and published in First Monday showing that college students do in fact care about their privacy on Facebook.

Or maybe Facebook does not really have 500 million users.

What’s even more interesting are the lazy consumer-oriented companies that downloaded the file! I say lazy because they could have done the same thing themselves. Gizmodo published the list of companies!

This past Friday, the Wall Street Journal wrote an extensive article on the “nefarious” techniques web content sites use to help monetize their mostly free content. WSJ calls it “spying.” It implies that users are unaware that it’s happening and are helpless to do anything about it.

First, if you read the WSJ or this blog, you are no longer unaware. Second, most browsers provide tools to protect your privacy while you are browsing and to delete the “cookies.” Third, since most people are unwilling to pay anything for content, the content providers have little choice but to monetize via advertising. In order to achieve reasonable rates, advertisers want to be able to target their ads. Fourth, I believe that most people are OK with the trade-off – free content in exchange for giving up their privacy. If you are not OK with the exchange, see the second point above.

For the most part, I agree with Jeff Jarvis, who takes the Wall St. Journal to task in his post, Cookie Madness.

On the other hand, Wired reported earlier in the week that a lawsuit was filed against Quantcast, a subsidiary of MTV, which allegedly “violated federal computer intrusion law by secretly using storage in Adobe’s Flash player to re-create cookies deleted by users.”

The Wired article goes on to say,

Unlike traditional browser cookies, Flash cookies are relatively unknown to web users, and they are not controlled through the cookie privacy controls in a browser. That means even if a user thinks they have cleared their computer of tracking objects, they most likely have not.

Quantcast claims it stopped using this technique in August 2009 after Wired had first brought this technique to light.

Sunday morning, some of the 2,301 Facebook friends of venture capitalist and Facebook board member Jim Breyer received a message from him, through Facebook. “Would You Like a Facebook Phone Number?” it asked, presenting a link to “see more details and RSVP.”

While no one would be surprised by a service that allowed users to call friends from their Facebook accounts, the message was a hack. “This was a phishing scam and Jim’s account appears to have been compromised,” says Larry Yu, a Facebook spokesman, late yesterday. “The issue has since been resolved and we’re actively trying to block this activity.”

Breyer, a partner at Accel Partners, didn’t respond to questions relating to the message.

At this point there has been no detailed explanation from Facebook of how this happened and what steps they are taking to reduce the likelihood of it happening again. Compare Facebook's approach to this breach to Apache's approach to their recent breach, which I wrote about here.